This one is rare and you will probably never see it in your career, but since it's there on the list, I still owe you an explanation. This attack can be executed on any system that serializes/deserializes data. This attack can be achieved when the attacker modifies the application's logic or tries to run a remote code execution if there are objects in the application that can change behavior or execute during or after deserialization.